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^TJAbstract: The invenUon provides a method and system for scanning specialized computing devices for vinises. In a preferred 
emooaiment, a filer is connected to one or more supplementary computing devices that scan iwquested files to ensure diey are virus 

fiT-^^LTJ "^k'" "f!- 7^^" ^ •^"^'^ * ^'^ *^ ^*'"*'^'"« P""^*- ^ determines whether the 

devi^ nndl^Tn ^f°ri<l«"^«y to the end user. Second, the filer opens a channel to one of the external computing 

dev cfn^lr^K ^K^""*""; '=°™Puting device opens the file and scans it Fourth, the external computing 

device noufies the filer the results of the file scan operation. Fifth, the filer sends the file to the end user provided the status imUcates 
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DECENTRALIZED APPLIANCE VIRUS SCANNING 
Background of flie Invention 

5 7. Field of the Invention 

This invention relates to virus scanning in a networked environment 
2. Related Art 

10 

Computer networking and the Internet in particular offer end users 
unprecedented access to inforination of all types on a global basis. Access to 

infonnation can be as simple as connecting some type ofcomputing device using a 
standard phone line to a network. Witii tiie proliferation of wireless communication, 
1 5 users can now access computer networks from practically anywhere. 

Connectivity of this magnitude has magnified the impact of computer 
viruses. Viruses such as "MeUssa" and "I love you" had a devastating impact on 
computer systems worldwide. Costs for dealing with viruses are often measured in 
20 millions and tens of millions of dollars. Recently it was shown that hand-held 
computing devices are also susceptible to viruses. 

Virus protection software can be very effective in dealing with viruses, 
and virus protection software is widely available for general computing devices such 
25 as personal conqjuters. There are, however, problems unique to specialized 

computing devices, such as filers (devices dedicated to storage and retrieval of data). 
Off-the-shelf virus protection software will not run on aspecialized computing device 
unless it is modified to do so, and it can be very expensive to rewrite software to work 

on another platform. 

30 . •■• . • 



1 



PCT/USOl/46688 

A first known method is to scan for viruses at the data source. When 
the data is being provided by a specialized computing device the specialized 
computing device must be scanned Device-specific virus protection software must 
be written in order to scan tiie files on the device. 

5 

While this first known metiiod is effective in scanning files for viruses, 
it suffers from several drawbacks. First, a company with a specialized computing 
device would have to dedicate considerable resources to creating virus protection 
software and maintaining up-to^Iate data files that protect against new viruses as tiiey 
10 emeige. 

Additionally, although a manufacturer of a specialized conq)uting 
device could enlist tiie assistance of a company tiiat creates mainstteam virus 
protection software to write the custom appUcation and become a Ucensee this would 
15 oeate other problems, such as reliance on the chosen vendor of flie anti-virus 
software, compatibiUty issues when hardware upgrades are effected, and a large 
financial exp&ise. 

A second known method for protecting against computer viruses is to 
20 haveflieendusernmanti-virussoftwareontiieirclientdevice. Anti-virus software 
packages are offered by such conq)anies as McAfee and Symantec. These programs 
are loaded during tiie boot stage of a con9)uter and woric as a background job 
monitoring memory and files as tiiey are opened and saved. 

. While fliis second known metiiod is effective at intercepting and 

protecting tiie client device from infection, it suffeis from several drawbacks. It 
places the burden of detection at the last possible link in tiie chain. If for any reason 
tiie virus is not detected prior to reaching tiie end user it is now at flie computing 
device where it wiU do tiie most damage (comqjting files and spreading to otiier 
30 conqniterusexsandsj^ms). 
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It is much better to sanitize a file at the source from where it may be 
deUvered to miUions of end users rather than deliver (he file and hope that the end 
user is prq>ared to deal with the file in the event the file is infected. End users often 
have older versions of anti-virus software and'or have not updated the data files that 
ensure the software is able to protect against newly discovered viruses, thus making 
detection at the point of mass distribution even more critical. 

Also, hand-held computing devices are susceptible to viruses, but they 
are poorly equipped to handle them. Generally, hand-held computing devices have 
very Umited memory resources compared to desktop systems. Dedicating a portion 
of these resources to virus protection severely limits the abihty of the hand-held 
device to perform effectively: Reliable vmis scamiing at the information source is the 



Protecting against viruses is a constant battle. New viruses are created 
everyday requiring virus protection software manufacturers to come up with new data 
files (solution algorithms used by anti-virus ^Ucations). By providing pix>tection at 
the source of the file, viruses can be eliminated more efficiently and effectively. 

Security of data in general is important. EquaUy important is the trust 
of the end user. This comes 6om the r^utation that precedes a company, and 
companies that engage in web commerce often live and die by their reputation. Just 
like an end user trusts that the credit card number they have just disclosed for a web- 
based sales transaction is secure they w^t fil^ they receive to be just as secure 

r Ai^^y, it would be desirable to provide a technique for scamiing 
specialized computing devices for viruses and other malicious or miwanted content 
tbat may need to be changed, deleted, or otherwise modified. 
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The invention provides a method and system for scanning specialized 
computing devices (such as filers) for viruses. In a preferred embodiment, a filer is 
5 connected to one or more supplementary computing devices that scan requested files 
to ensure they are virus fi-ee prior to delivery to end users. When an end user requests 
a file firom the filer the following steps occur: First, the filer determines whether the 
file requested must be scanned before delivery to the end user. Second, the filer 
opens a channel to one of thie external computing devices and sends the filename. 
10 Third, the external computing device opens the file and scans it. Fourth, the extemal 
computing device notifies the filer the status of the file scan operation. Fifth, the filer 
sends the file to the end user provided the status indicates it may do so. 

This system is voy efficient and eflFective as a file needs only to be 
15 scanned one time for a vkus unless the file has been modified or new data files that 
protect against new viruses have been added. Scan reports for files that have been 
scanned may be stored in one or more of the external conq)uting devices, in one or 
more fileis, and some portion of a scan report may be delivered to end users. 

^® ^ alternative embodiments of the invention one or more of tiie extemal 

computing devices may be running other siqjplementary appUcations, such as file 
compression and encryption, indqpendentiy or in some combination. 



25 



Brief Description of the Drawings 

Figure 1 shows a block diagram of a system for decentralized appliance 
virus scaniung. 



Figure 2 shows a process flow diagram for a system for decentralized 
30 virus scanning 
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Detailed D escription of the Preferred Embodiment 

In tbe following description, a preferred embodiment of the invention is 
described with regard to preferred process steps and data structures. Those skiUed in 
5 the art would recognize after perusal of this application that embodiments of the 
invention can be implemented using one or more general purpose processor or 
special purpose processors or other circuits adapted to particular process steps and 
data structures described herein, and that implementation of the process steps and 
data stractures described herein would not require undue experimentation or further 
10 invention. 



Lexicography 

The following terms refer or relate to aspects of the invention as 
15 described below. The descriptions of general meanings of these terms are not 
intended to be limiting, only illustrative. 

• Virus -in general, a manmade program or piece of code that is loaded onto a 
computer without the computer user's knowledge and runs against their 
wishes. Most viruses can also replicate themselves, and the more dangerous 
types of viruses are capable of transmitting themselves across networks and 
bypassing security systems. 



20 
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ciient and server — in general, these terms refer to a relationship between two 
devices, particulariy to their relationship as cKent and server, not necessarily to 



■'^fm-'^mm!^ any particular physical devices. 



30 



For example, but without limitation, a particular cUait device in a first 
relationship with a first server device, can serve as a server device in a second 
relationship with a second client device. In a prieferred embodiment, there are 
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generally a relatively small number of server devices servicing a relatively 
larger nmnber of client devices. 
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client device and server device — in general, these terms refer to devices 
taking on the role of a client device or a server device in a cUent-server 
relationship (such as an HTTP web client and web server). There is no 
particular requirement that any client devices or server devices must be 
individual physical devices. They can each be a single device, a set of 
cooperating devices, a portion of a device, or some combination thereof 

For example, but without limitation, die client device and the server device in 
a client-server relation can actually be the same physical device, with a firat set 
of software elements serving to perform client functions and a second set of 
software elements serving to perform server functions. 



• web client and web server (or web site) — as used herein the terms 'Sveb 

client" and "web server'' (or "web site") refer to any combination of devices or 
software taking on the role of a web client or a web server in a client-server 
environment in the internet, the world wide web, or an equivalent or extension 
20 thereof. There is no particular requirement tiiat web clients must be individual 

devices. They can each be a single device, a set of cooperating devices, a 
portion of a device, or some combination thereof (such as for example a device 
providing web server services that acts as an agent of the user). 

25 As noted above, tiiese descriptions of general meanings of these terms 

are not intended to be limiting, only illustrative. Other and further applications of the 
inv^tion, including extensions of these terms and concepts, would be clear to those 
of ordinary skill in the art after pemsing this application. These other and further 
applications are part of the scope and spirit of the invention, and would be clear to 

30 those of ordinary skill in the art, without further invention or undue e>q>erimentation. 
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Figure 1 shows a block diagram of a system for decentralized appliance 
virus scanning. 

A system 100 includes a client device 1 10 associated with a user 1 11, a 
communications network 120, a filer 130, and a processing cluster 140. 

The client device 110 includes a processor, a main memory, and 
software for executing instructions (not shown, but underatood by one skiUed in the 
art). Although the cUent device 1 10 and filer 130 are shown as s^arate devices there 
is no requirement that they be physically separate. 

In a preferred embodiment, the communication network 120 includes 
the Internet. In altemative embodiments, the communication network 120 may 
include altemative fomis of communication, such as an intranet, extranet, virtual 
private network, direct communication links, or some other combination or 
conjunction thereof. 

A communications Imk 115 operates to couple the cUent device 110 to 
the communications network 120. 

The filer 130 includes a processor, a main memory, software for 
executing iristractions (not shown, but understood by one skiUed in the art), and a 
mass storage 131. Although the cUent device 1 10 and filer 130 are shown as separate 
d^ces there is no requirement that they be separate devices. The filer 130 is 
cormected to tiie communications network 120. 

The mass storage 131 includes at least one file 133 that is capable of 
being requested by a client device 110. 
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The processing cluster 140 includes one or more cluster device 141 
each including a processor, a main memory, software for executing instmctions, and a 
mass storage (not shown but understood by one skilled in Ihe art). Although the filer 
130 and the processing cluster 140 are shown as separate devices there is no 
requirement that they be separate devices. 

In a preferred embodiment the processing cluster 140 is a plurality of 
personal computers in an interconnected chister capable of intercommunication and 
direct communication with the filer 130. 

The cluster link 135 operates to connect the processing cluster 140 to 
the filer 130. The cluster link 135 may include non-uniform memory access 
(NUMA), or communication via an intranet, extranet, virtual jnivate network, direct 
co m m uni cation links, or some oHi&c combiiuttion or conjunction thexeof. 

Method of Operation 

Figure 2 shows a process flow diagram for a system for decentralized 
appliance virus scanning. 

A mediod 200 includes a set of flow points and a set of steps. The 
system 100 performs the method 200. Although the method 200 is described serially, 
the st3q>s of the method 200 can be performed by separate elements in conjimction or 
in parallel, whether asynchronously, in a pipelined manner, or otherwise. There is no 
particular requirement that the method 200 be performed in the same order in which 
this desociption lists the st^s, except where so indicated. 

At a flow point 200, the system 100 is ready to begin performing the 

method 200. 
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At a Step 201, a user 111 utilizes the client device 1 10 to initiate a 
request for a file 133. The request is transmitted to the filer 130 via the 
communications network 120. In a preferred embodiment the filer 130 is performing 
file retrieval and storage at the direction of a web server (not shown but understood 
by one skilled in the art). 

At a step 203, the filer 130 receives the request for the file 133 and 
sends flie file ID and path of the file 133 to the processing cluster 140 where it is 
received by one of the cluster device 141. 

At a step 205, the cluster device 141 uses the file ID and path to open 
Ihe fiOle 133 in the mass storage 131 of the filer 130. 

At a step 207, the cluster device 141 scans the file 133 for viruses. In a 
preferred embodiment, files are tasked to the processing cluster 140 in a round robin 
fashion. In alternative embodiments files may be processed individually by a cluster 
device 141, by multiple cluster device 141 simultaneously, or some combination 
thereof. Load balancing may be used to ensure mavimnm efficiency of processing 
widiin the processing cluster 140. 

There are several vendors offering virus protection software for 
personal computers, thus the operator of the filer 130 may choose whatever pixxluct 
they would like to use. They may even use combinations of vendors' products in the 
processmg cluster 140. In an alternative embodiment of the invention, contmual 
scaiming of every file 133 on the filer 130 may take place. 

The processing cluster 140 is highly scalable. The price of personal 
computers is low compared to dedicated devices, such as filers, therefore this 
configuration is very desirable. Additionally, a cluster configuration offers redundant 
systems availability in case a cluster device 141 foils - failover and takeover is also 
possible within the processing cluster. 
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At a Step 209, the clus^ device 141 transmits a scan report to the filer 
130. The scan report primarily reports v^ether the fUe is safe to send. Further 
information may be saved for statistical purposes (for example, how many files have 
5 been identified as infected, was the virus software able to sanitize the file or was the 
file deleted) to a database. The database may be consulted to determine whether the 
file 133 needs to be scaimed before delivery upon receipt of a subsequent request. If 
the file 133 has not changed since it was last scanned and no additional virus data 
files have been added to the processing cluster, the file 133 probably does not need to 
10 be scanned. This means the file 133 can be deliv^ied more quiddy. 

Other intermediary applications may also run separately, in conjunction 
with other applications, or in some cond>ination thereof within the processing cluster 
140. Compression and encryption utilities are some examples of these applications. 
15 These types of applications, including virus scanning, can be very CPU intensive, 
thus outsourciQg can yield better performance by allowing a dedicated device like a 
filer to do what it does best and farm out other tasks to the processing cluster 140. 

At a step 21 1, the filer 130 transmits or does not transmit the file 133 to 
20 the client 110 based on its availability as reported following the scan by the 

processing cluster 140. Some portion of the scan rqport may also be transmitted to 
the user. 



At this step, a request for a file 1 33 has been received, the i^uest has 
25 been processed, and if possible a file 133 has been delivered. The process may be 
repeated at step 201 for subsequent requests. 



Generality of the Invention 

30 The invention has wide ^plicability and generality to other aspects of 

processing requests for files. 

10 
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The invention is applicable to one or more of, or some combination of, 
circumstances such as those involving: 

• file compression; 

• file encryption; and 

• general outsourcing of CPU intensive tasks fi*om dedicated appliances to 
general purpose computers. 

Alternative Embodiments 

Although preferred embodiments are disclosed herein, many variations 
are possible which remain within the concept, scope, and spirit of the mvention, and 
these variations would become clear to those skilled in the art after perusal of this 
appUcation. 



11 
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1 . A method for operating a filer including the steps of: 
receiving at a first location a request fi-om a user for an object; 

5 processing said request at a second location, wherein said step of 

processing includes at least one of the following: (1) searching for one or more 
recognizable patterns of data within said object, (2) conq>ressing said object, and (3) 
encrypting said object; 

responding to said request, wherein said step of responding includes 
10 delivery of a response to said user. 

2. The method of claim 1, wherein said request is in an electronic form. 

3. The method of claim 1, wherein said object is a file. 

15 

4. The method of claim 3, wherein said step of processing said request 
further includes the steps of: 

creating an access path from said filer to a processing cluster; 
processing said file in said processing cluster; and 
20 generating a scan report wherein, said scan report is responsive to said 

processing of said file in said processing cluster. 

5. The method of claim 4, wherein said step of creating an access path 
includes sending the ID and path of said file firom said filer to said processing cluster. 

25 

6. The method of claim 5, wherein said step of sending is accon^lished 
using non-imiform memory access. 

7. The method of claim 5, wherein said step of sending is accomplished 
30 using a communications network. 
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8- The method of claun 5, wherein said step of sending is accomplished 
using a direct connection. 

9. The method of claim 4, wherein said step of processing of said file is 
5 performed by said processing cluster in a roimd robin fashion for subsequent files 

received. 

10. The method of claim 4, wherein said step of processing of said file 
is accomplished in parts by more than one device in said processing cluster. 



10 



1 1 . The method of claim 4, wherein all files stored on said filer are 
scanned in a logical continuous manner. 



12. The method of claim 4, wherein said scan report contains a set of - 
15 status data relating to said processing of said file. 

13. The method of claim 12, wherein said status data includes at least 
one data element identifying the presence or non-presence of a virus in said file. 

2® 14. The method of claim 13, wherein said report is transferred to said 

filer. 

15. The method of claim 14, wherein said rqport is stored in a first 
database. , ry^-^ :^.^'^-.::-:^ .'^- 

25 

16. The method of claim 15, \)dierein the necessity for subsequent w^^m?*^^^'^^^ 
scanning of said file is a function of determining whether said database contains said 
report relating to said file and whether said file has changed since last accessed. 
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1 7. The method of claim 1 6, wherein the necessity for subsequent 
scanning of said file is a function of detennining whether additional virus 
identification data files have been added to said processing chister. 

18. The method of claim 1, wherein said delivery of a response is said 

file. 



19. The method of claim 1 , wherein said delivery of a response 
mcludes notification to said user that said file is unavailable. 

20. The method of claim 1, wherein said step of responding to said ' 
request includes sending said user a copy of said scan report 

21. An apparatus for operating a filer including: 

means for receiving at a first location a request fiom a user for an 

object 

means for processing said request at a second location, wherein said 
means for processing includes at least one of the following: (1) means for searching 
for one or more recognizable patterns of data withm said object, (2) means for 
conq)ressing said object, and (3) means for encrypting said object: 

means for responding to said request, wherein said means for 
responding includes delivery of a response to said user. 

22. The apparatus ofclaim 21, wherein said object is a file. . 

23. The apparatus of claim 22, wherein said means for processing said 
request fiir&er includes: 

means for creating an access path &om said filer to a processing cluster; 
means for processing said file in said processing cluster and 
means for generating a scan report wherein, said scan r^ort is 
responsive to said processing of said file m said processing cluster. 

14 
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24. The apparatus of claim 23, wherein said means for creating an 
access path includes means for sending the ID and path of said file from said filer to 
said processing cluster. 

5 

25. The apparatus of claim 24, wherein said sending is accomplished 
using non-imiform memory access. 

26. The apparatus of claim 24, wherein said sending is accomplished 
10 using a communications netwoik. 

27. The apparatus of claim 24, wherein said sending is accomplished 
using a direct connectioiL 



28. The apparatus of claim 23, wherein said processing of said fQe is 
performed by said processing cluster in a round robin fashion for subsequent ffles 
received. 

29: The ^aratus of claim 23, wherein said processing of said file is 
20 performed on atomic units of said file by more than one device in said processing 
cluster. 

30. The apparatus of claim 23, wherein all files stored on said filer are 
scanned in a logical continuous manner. '\:-fr.'^'yai-\y-:'ir':''--'''\ 

25 

31. The apparatus of claim 23, wherein said scan report contains a set 
of status data relating to said processing of said file. 

32. The apparatus of claim 31, wherein said status data includes sA least 
30 one data element identifying the presence or non-presence of a virus in said file. 
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The apparatus of claim 31, wherein said report is transferred to said 



34. The ^paratus of claim 33, wherein said report is stored in a first 

database. 



35. The apparatus of claim 34, wherein the necessity for subsequent 
scanning of said file is a function of detennining whether said database contains said 
report relating to said file and whether said file has changed since last accessed. 

36. The apparatus of claim 35, wherem the necessity for subsequent 
scanning of said file is a function of detenmning wheflio- additional virus 
identification files have been added to said processing cluster. 

37. The ^paiatus of daim 21, wherein said delivery of a response is 
delivery of said file. 

38. The apparatus of claim 21, wherein said delivery of a response 
includes delivery of notification to said user that said file is unavailable. 

39. The ^paratus of claim 21, wherein said responding to said request 
iiicludes sending said user some portion of said scan report. 

* 

40. A method of attempting to provide virus protection in a client- 
server envirormient, comprising the steps of: 

receiAdng a request at a server for a file; 

sending an identifier for flie file to a scanning device that scans the file 

for viruses; 

receiving an indication from the scaiming device as to whedier or not 
the file is safe to said fijom the server; and 
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responding to the request by sending the file if the indication is that the 
file is safe to send. 



4 1 . A method as in claim 40, wherein the scaiming device indicates 
5 that the file is safe to send if the scanning device determines that the file is not 

infected with any viruses. 

42. A method as in claim 40, wherein the request is received from and 
the file is sent to a client device. 



10 



43. A method as in claim 40, wherein the server is a web server. 



44. A method as in claim 40, wherein the scanning device is one of a ■ 

cluster of devices connected to the server that fimction similarly to the scan^ 
15 device. 

45. Amethodasinclaim44, wherein the cluster of devices is a cluster 
of interconnected personal computers. 

2^ 46. A method of attempting to provide virus protection in a client- 

server environment, comprising the steps of: 

maintaining a database that indicates if files served by a server are safe 
to seiid from the servei^ 

receivmg a request at flie server for a file; " - >fe> - . 
25 ' if the database indicates that the file is safe to send, responding to the 

request by sending the file; and ■■■ v . ^.'^,-^.^,^v.^^^^>a.^%4ev•^^*-- :\ 

if the database does not indicate that the file is safe to send, then 
sending an identifier for the file to a scanning device that scans the file for viruses, 
receiving an indication fiom the scanning device as to whether ipr iiot the file is safe 

30 to send fiiom the server, and responding to the request by sending the file if the 
indication is diat the file is safe to s^d 

17 
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47. A method as in claim 46, wherein maintaining the database further 
comprises the steps of: 

tracking received indications from the scaiming device; and 
5 tracking accesses to the file. 

48. A method as in claim 47, wherein a tracked indication in the 
database that the file is safe to send is cancelled if the file has changed since tihe 
tracked indication was incorporated into die database. 

10 

49. A method as in claim 46, wherein the scanning device indicates 
that the file is safe to send if the scanning device determines that the file is not 
infected with any viruses. 

IS 50. A method as in claim 46, wherein die request is received from and 

the file is sent to a client device. 

51. A method as in claim 46, wherein the server is a web server. 

20 52. A method of attenQ)ting to provide virus protection in a client- 

server environment, comprising the steps of: 

receiving fix>m a server, at a scaiming device connected to the server, an 
identifier for a file stored on mass storage for the server; 
scanning the file for viruses; and 
25 reporting an indication to the server as to whether or not the file is 

infected 

53. A method as in claim 52, fruiher comprising the step of changing, 
deleting, or otherwise modifying the file based on a result of scanning the file for 
30 viruses. 
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54. A method as in claim 52, wherein the server is a web server 

55. A method as in claim 52, wherein the scanning device is one of a 
cluster of devices connected to the server that function similarly to the scanning 

5 device. 

56. A method as in claim 55, wherein the cluster of devices is a cluster 
of interconnected personal computers. 

^® 57. A server that attempts to provide virus protection in a client-server 

environment, comprising: 

a conununication lii]k to cUent dev^ 
mass storage for files; and 

a processor that executes instractions in order to send requested files to 
15 the client devices, the instructions also including instructions (a) to receive a request 
for a file, (b) to send an identifier for the file to a scanning device that scans the file 
for viruses, (c) to receive an indication fiwm the scanning device as to whether or not 
the file is safe to send fix>m the server, and (d) to respond to the request by sending 
the file if the indication is that the file is safe to send. 
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58. A server as in claim 57, wherein the scanning device indicates that 
the file is safe to send if the scannmg device determines that the file is not infected 
witii any \druses. 



59. A server as in claim 57, wherein the request is leceivedfiom and 
the file is sent to a client device..; .;.^r.<,.?v^vs*^5gg^5g^saf^^^^^^ . ■ • ■ • ^ .^^.^ ,. 

60. A server as in claim 57, wherein the sraver is a web server. 
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61 . A server as in claim 57, wherein the scanning device is one of a 
cluster of devices connected to the server that fiinction similarly to the scanning 
device. 



5 62. A server as in claim 61, wherein the cluster of devices is a cluster 

of interconnected personal computers. 

63 . A server that atten^ts to provide virus protection in a client-saver 
environmoit, comprising: 
10 a communication link to client devices; 

mass storage for files; and 

a processor that executes instructions in order to send requested files to 
the cli^ devices, the instructions also including instructions (a) to mainfain a 
database that indicates if files served by a server are safe to send Scorn, the server, (b) 

15 to receive a request at the server for a file, (c) if the database indicates that the file is 
safe to send, to respond to the request by sending the file, and (d) if the database does 
not indicate that the file is safe to send, then to send an identifier for the file to a 
scanning device that scans the file for viruses, to receive an indication fi-om the 
scanning device as to whether or not the file is safe to said fix>m fbe server, and to 

20 respond to the request by sending the file if the indication is that the file is safe to 
send. 



64. A server as in claim 63, wherein the instructions to maintain the 
database fiirtho- comprise instructions to track received indications fiom the scanning 

25 device, and to track accesses to the file. 

65. A server as in claim 64, wherein a tracked indication in the 
database that the file is safe to send is canceDed if the file has changed since the 
tracked indication was incorporated into the database. 

30 
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66. A server as in claim 63, wherein the scanning device indicates that 
the file is safe to send if the scanning device determines that the file is not infected 
with any viruses. 

5 67. A server as in claim 63, wherein the request is received ftom and 

the file is sent to a client device. 

68. A server as in claim 63, wherein the server is a web server, 

0 69. A scanning device that attempts to provide virus protection for a 

server in a client-server environment, comprising: 

a communicatioh link to the server arid 
z*-^-j;;ig^^:Kf>:f^^--.':-:T:^.^ proccssor that j^ecutes instructionis, the instractions including 

instructions (a) to receive from the server an identifier for a file stored on mass 
5 storage for the server, (b) to scan the file for viruses, and (c) to r^rt an indication to 

the server as to whether or not the file is infected. 

70. A scanning device as in claim 69, wherein Ihe instructions furth^ 
comprise mstructions to change, delete, or otherwise modify the file based on a result 

0 of scanning the file for viruses. 

71. A scanning device as in claim 69, wherein the server is a web 

server. 

> 

72. A scanning devicie as in claim 69, wherein the scamiing device is 
one of a cluster of devices conne»Qted to the server that fimction similarly to the 
scamiing device. 

73. A scanning device as in claim 72, wherein the cluster of devices is 
a cluster of interconnected personal conq)uters. 
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74. Storage containing information including instructions, the 
instructions executable by a processor to attempt to provide virus protection in a 
client-server environment, the instructions conq>iising the steps of: 

receiving a request at a server for a file; 

5 sending an identifier for the file to a scanning device that scans the file 

for viruses; 

receiving an indication fi-om the scanning device as to whetha- or not 
the file is safe to send fi-om the serv^ and ~ 

responding to the request by sliding tiie file if the indication is that the 
10 file is safe to send. 



15 
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75. Storage as in claim 74, wherein tlie scanning device indicates that 
the file is safe to send if the scanning device determines that the file is not infected 
with any viruses. 

76. Storage as in claim 74, wherein the request is received &om and the 
file is sent to a client device. 

77. Storage as in claim 74, wherein the server is a web server. 

78. Storage as in claim 74, v/her&n the scanning device is one of a 
cluster of devices connected to the server that fimction similarly to the scanning 
device. 



2^ 79. Storage as in claim 78, wherein the cluster of devices is a cluster of 

interconnected personal computers. 

80. Storage containing information including instructions, ittie 
instructions executable by a processor to attempt to provide virus protection in a 
30 client-server environment the instructions comprising the steps of: 
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maintaimng a database that indicates if files served by a server are safe 
to send from the server; 

receiving a request at the server for a file; 

if the database indicates that the file is safe to send, responding to the 
request by sending the file; and 

if the database does not indicate that the file is safe to send, then 
sending an identifier for the file to a scanning device that scans the file for viruses, 
receiving an indication fix)m the scanning device as to whether or not the file is safe 
to send from the server, and responding to the request by sending the file if the 
indication is ibaX the file is safe to send. 

81. Storage as in claim 80, wherein maintaining the database fruther 
. comprises the steps of: ^ 

tracking received indications from the scanning device; and 
tracking accesses to the file. 

82. Storage as in claim 81, wherein a tracked indication in the database 
that the file is safe to send is cancelled if the file has changed since the tracked 
indication was incorporated into the database. 

83. Storage as in claim 80, wherein the scanning device indicates that 
the file is safe to send if the scanning device determines that the file is not infected 
with any viruses. 



84. Storage as in claun 80, wherein the request is received from and the 

fileksentt 

85. Storage as in claim 80, wherein the server is a web server. 
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86. Storage containing information including instractions, the 
instructions executable by a processor to attempt to provide virus protection in a 
client-server environment, the instructions comprising the steps of: 

receiving from a server, at a scanning device connected to the server, an 
identifier for a file stored on mass storage for the server; 

scanning the file for viruses; and 

reporting an indication to the server as to whether or not the file is 

infected. 



87. Storage as in claim 86, wherein the instructions fiirther comprise 
the step of changing, deleting, or otherwise modifying the file based on a result of 
scanning the file for viruses. 

88. Storage as in claim 86, wherein the saver is a web server. 

89. Storage as in claim 86, wherein the scanning device is one of a 
cluster of devices connected to the server that fimction similarly to the scanning 
device. 



90. Storage as in claun 89, wherein the cluster of devices is a cluster of 
interconnected personal computers. 
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